
Re: privilege escalation and potential data loss in logrotate



On Sat, Nov 20, 2010 at 08:23:44AM +0100, Florian Zumbiehl wrote:
> The short summary:
> 
> 1. There is a privilege escalation vulnerability in stable's logrotate,
>    verified to work for switching from the postgres user to root, probably
>    affecting the system users of about 40 packages. A fix for this has
>    been in testing for about a year now, the original bug report and a
>    first patch have been in the bug tracker for about four years now.

It has never been verified, and no proof was ever given.

> First of all, it's bug #388608. Unfortunately, quite a bit of the
> interesting communication was private, either with the maintainer, or
> with the security team, or both, so I can't reference it in some public
> location, and just pasting my own text fragments into this mail probably
> would not be particularly enlightening either.

Please feel free to make public any of the communication from me, with
the proviso that I can also make public any communication from you.

> Regarding the regression in the fix: With previous versions, it was
> guaranteed that unless you used the copytruncate option, you would not
> ever lose log messages due to rotation. With the fix, this guarantee
> does not exist anymore in cases where the program writing to the log
> file as well as logrotate may create the log file when it doesn't exist
> (which is a common setup, and which cannot even be avoided in many
> cases).

The problem is that your suggested fix is worse than the purported
vulnerability, causing potential data loss, and there is no way of
avoiding that due to the lack of any atomic filesystem operations that
would generate the file, check that it isn't vulnerable and set the
permissions and ownership simultaneously.

> If I don't see any solution emerging in a reasonable time frame, my next
> step would be a more-or-less mass filing against all those packages that
> some rough analysis suggests are affected by either the vulnerability
> or the regression so that their maintainers can take measures to work
> around the problem if they want to.

You are, of course, free to send me a working patch or pursue the
upstream authors (at Red Hat) for a fix.

-- 
Paul Martin <pm@debian.org>
